Are you using the same password for everything? You probably are, aren’t you? “That’s okay,” you’re thinking, “It’s a really, really hard password. Nobody will ever get it.”

Not so fast, fish-breath.

A recent post on the Twitter Status blog details a new way that some crafty crackers are stealing passwords. It basically works like this: You join a perfectly legitimate online community, a website that lets you share your favorite YouTube piano-playing-cat videos, for example, or a forum to discuss new ways of getting fourth-graders to study American history. A few months pass and you are happily sharing videos of Mittens hammering Beethoven or explaining to new friends why 8-year olds should learn about Crispus Attucks. Little did you know that the community you joined — the one that’s hosted in San Francisco and run by an innocent-sounding little Internet start-up — is actually owned by a couple of Russian teenagers who built the thing overnight for $32.

Now these kids have a database of all 8,319 other feline-loving and/or elementary school teachers that are using their site. And they have your username. And your email address. And your password.

And it’s the same password you use at Amazon and PayPal, isn’t it? It’s the same password you used when you created your GMail account and your Twitter account, too, isn’t it? And I’m guessing you used the same email address and password for iTunes, right? Now, my friend, you are screwed.

There’s really only one way to avoid this, of course:
Don’t use the same password for everything!

That’s a tall order these days. There’s no way I’d remember the dozens and dozens of passwords I use on a daily basis if every single one was unique. I have a set of five or six different passwords that I use. Some are for throwaway use, like on video game sites or e-commerce sites where I know I won’t care if they’re stolen. Some are for social networking sites, like Twitter and WordPress and Facebook. And some — the ones that have lots of punctuation marks and numbers and are more than eight characters long — are for banks and credit cards. That way, if someone ever does manage to hack Twitter, it doesn’t mean they can get into my checking account, too.

It’s not the best solution. The best solution would be to actually create a unique username and password for every single account you ever create, and to use different GMail aliases for all of them. But nobody is that paranoid. Are you?


There are 2 comments on this post

  1. Just switched to using lastpass.com – now I have unique 12 character alpha/numeric/punctuation based passwords for every site, but only one (VERY strong) password to remember to use them.

  2. Is lastpass.com run by a couple of Russian teenagers that built it overnight for $32?


What Is This?

davidgagne.net is the personal weblog of me, David Vincent Gagne. I've been publishing here since 1999, which makes this one of the oldest continuously-updated websites on the Internet.
